openstack team mailing list archive
Message #22729
Re: grizzly swift keystone, http to 8080/8888 wont work
Thanks for your quick reply, Simon,
The role ResellerAdmin does exist and looks good, does it?
root@ns-proxy01:/etc/swift# keystone user-get ceilometer
+----------+----------------------------------+
| Property | Value |
+----------+----------------------------------+
| email | |
| enabled | True |
| id | cde44fe9c6d446da99ea370b88ec7d63 |
| name | ceilometer |
| tenantId | 054ca85bca2e44c29cf4730e1450517f |
+----------+----------------------------------+
root@ns-proxy01:/etc/swift# keystone user-role-list --user-id cde44fe9c6d446da99ea370b88ec7d63 --tenant-id 054ca85bca2e44c29cf4730e1450517f
+----------------------------------+---------------+----------------------------------+----------------------------------+
| id | name | user_id | tenant_id |
+----------------------------------+---------------+----------------------------------+----------------------------------+
| c2df2bc0fd6f404794565f10cc0e5e7a | ResellerAdmin | cde44fe9c6d446da99ea370b88ec7d63 | 054ca85bca2e44c29cf4730e1450517f |
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ | cde44fe9c6d446da99ea370b88ec7d63 | 054ca85bca2e44c29cf4730e1450517f |
+----------------------------------+---------------+----------------------------------+----------------------------------+
And I can see ceilometer log entries, counting bytes. So that looks good.
My issue is that with the old swauth setup there was a real simple web
based user manager.
Surfing to "http://my.swift.proxy:8888/auth/" was the entry URL to this
sort of user manager. But now, after the change to keystone, I get HTTP
result codes like 412 or 401.
Since I inherited this setup I do not even know for sure if this
swift-user-manager is actually a part of swift. I believe so.
Can someone please confirm which URLs do work on swift-proxy http port
8080/8888 (proxy-server.conf -> [DEFAULT] -> bind_port). Should "/auth/"
return a page?
Thank you. Axel
On 16.04.13 12:41, Simon Pasquier wrote:
> Hi,
> I'm not sure I understand your issue exactly, but since your setup
> includes ceilometer, I can just give you a hint for the ceilometer/swift
> integration.
> You have to create a 'ResellerAdmin' role and assign that role to your
> ceilometer user. Alternatively you can define the 'reseller_admin_role'
> parameter (default value=ResellerAdmin) in the [filter:authtoken]
> section of /etc/swift/proxy-server.conf.
> Cheers,
> Simon
>
> On 16/04/2013 12:04, Axel Christiansen wrote:
>> Dear List,
>>
>> I got stuck with a setup of OpenStack Grizzly. This setup consists of:
>>
>> - swift proxy 1.0.8.1
>> - swift storage nodes 1.0.8.1
>> - keystone
>> - ceilometer
>>
>> I kept browsing the web and reading OpenStack docs for days now and
>> just can't get it working right. Because of OpenStack's diversity I
>> wasn't able to find something really similar to my situation.
>>
>> The thing is, I changed swift-proxy from using swauth to keystone.
>> Keystone and swift-proxy do interact all right as far as I can say.
>> What I can't get working is that simple webpage which gave the ability
>> to log in as superuser, adding new users and so on. It is that web part
>> that connects to the proxy on port 8080, respectively port 8888.
>>
>> Thx a lot for taking a look into this.
>> Axel
>>
>> These are the browser URLs I try:
>>
>> (delay_auth_decision = 1)
>> http://the.swift.proxy:8888/auth/
>> bad url
>> Apr 16 11:49:31 ns-proxy01 swift-proxy Calling Swift3 Middleware (txn:
>> txcfde073b9ffe4f379da392056e2176de)
>> Apr 16 11:49:31 ns-proxy01 swift-proxy {'headers': {'Accept-Language':
>> 'de-de,de;q=0.8,en-us;q=0.5,en;q=0.3', 'Accept-Encoding': 'gzip,
>> deflate', 'Host': 'backend', 'Accept':
>> 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
>> 'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:20.0)
>> Gecko/20100101 Firefox/20.0', 'Connection': 'close', 'Content-Type':
>> None}, 'environ': {'SCRIPT_NAME': '', 'REQUEST_METHOD': 'GET',
>> 'PATH_INFO': '/auth/', 'SERVER_PROTOCOL': 'HTTP/1.0', 'HTTP_USER_AGENT':
>> 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:20.0) Gecko/20100101
>> Firefox/20.0', 'HTTP_CONNECTION': 'close', 'eventlet.posthooks': [],
>> 'SERVER_NAME': '10.42.44.101', 'REMOTE_ADDR': '10.42.44.5',
>> 'eventlet.input': <eventlet.wsgi.Input object at 0x1d93f10>,
>> 'wsgi.url_scheme': 'http', 'SERVER_PORT': '8888', 'wsgi.input':
>> <swift.common.utils.InputProxy object at 0x2691050>, 'HTTP_HOST':
>> 'backend', 'swift.cache': <swift.common.memcached.MemcacheRing object at
>> 0x268a750>, 'wsgi.multithread': True, 'HTTP_ACCEPT':
>> 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
>> 'wsgi.version': (1, 0), 'GATEWAY_INTERFACE': 'CGI/1.1', 'wsgi.run_once':
>> False, 'wsgi.errors': <swift.common.utils.LoggerFileObject object at
>> 0x1656190>, 'wsgi.multiprocess': False, 'HTTP_ACCEPT_LANGUAGE':
>> 'de-de,de;q=0.8,en-us;q=0.5,en;q=0.3', 'swift.trans_id':
>> 'txcfde073b9ffe4f379da392056e2176de', 'CONTENT_TYPE': None,
>> 'HTTP_ACCEPT_ENCODING': 'gzip, deflate'}}
>> Apr 16 11:49:31 ns-proxy01 swift-proxy Authorizing as anonymous (txn:
>> txcfde073b9ffe4f379da392056e2176de)
>> Apr 16 11:49:31 ns-proxy01 swift-proxy 10.42.44.5 10.42.44.5 16/Apr/2013/09/49/31 GET /auth/ HTTP/1.0 412 - Mozilla/5.0%20%28Macintosh%3B%20Intel%20Mac%20OS%20X%2010.8%3B%20rv%3A20.0%29%20Gecko/20100101%20Firefox/20.0 - - 7 - txcfde073b9ffe4f379da392056e2176de - 0.0003 -
>>
>>
>> (delay_auth_decision = 0)
>> http://the.swift.proxy:8888/auth/
>> 401 Unauthorized
>> Apr 16 11:56:35 ns-proxy01 swift-proxy Calling Swift3 Middleware (txn:
>> tx508b08866bbc410399543d98cafa2856)
>> Apr 16 11:56:35 ns-proxy01 swift-proxy {'headers': {'Accept-Language':
>> 'de-de,de;q=0.8,en-us;q=0.5,en;q=0.3', 'Accept-Encoding': 'gzip,
>> deflate', 'Host': 'backend', 'Accept':
>> 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
>> 'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:20.0)
>> Gecko/20100101 Firefox/20.0', 'Connection': 'close', 'Cache-Control':
>> 'max-age=0', 'Content-Type': None}, 'environ': {'SCRIPT_NAME': '',
>> 'REQUEST_METHOD': 'GET', 'PATH_INFO': '/auth/', 'SERVER_PROTOCOL':
>> 'HTTP/1.0', 'HTTP_USER_AGENT': 'Mozilla/5.0 (Macintosh; Intel Mac OS X
>> 10.8; rv:20.0) Gecko/20100101 Firefox/20.0', 'HTTP_CONNECTION': 'close',
>> 'eventlet.posthooks': [], 'SERVER_NAME': '10.42.44.101', 'REMOTE_ADDR':
>> '10.42.44.5', 'eventlet.input': <eventlet.wsgi.Input object at
>> 0x1fa41d0>, 'wsgi.url_scheme': 'http', 'SERVER_PORT': '8888',
>> 'wsgi.input': <swift.common.utils.InputProxy object at 0x1fa40d0>,
>> 'HTTP_HOST': 'backend', 'swift.cache':
>> <swift.common.memcached.MemcacheRing object at 0x288e750>,
>> 'wsgi.multithread': True, 'HTTP_CACHE_CONTROL': 'max-age=0',
>> 'HTTP_ACCEPT':
>> 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
>> 'wsgi.version': (1, 0), 'GATEWAY_INTERFACE': 'CGI/1.1', 'wsgi.run_once':
>> False, 'wsgi.errors': <swift.common.utils.LoggerFileObject object at
>> 0x185e190>, 'wsgi.multiprocess': False, 'HTTP_ACCEPT_LANGUAGE':
>> 'de-de,de;q=0.8,en-us;q=0.5,en;q=0.3', 'swift.trans_id':
>> 'tx508b08866bbc410399543d98cafa2856', 'CONTENT_TYPE': None,
>> 'HTTP_ACCEPT_ENCODING': 'gzip, deflate'}}
>>
>>
>>
>>
>>
>>
>> export OS_SERVICE_TOKEN=XXX
>> export OS_SERVICE_ENDPOINT=http://10.42.44.101:35357/v2.0
>>
>>
>> root@ns-proxy01:/etc/swift# swift -V 2.0 -A http://10.42.44.101:5000/v2.0 -U admin -K XXX stat
>> Account: AUTH_c2dc53651a73430db9e0551fca4200de
>> Containers: 4354
>> Objects: 2622
>> Bytes: 114207
>> Accept-Ranges: bytes
>> X-Timestamp: 1365601461.87732
>> X-Trans-Id: txa6273bb374d5468da6e4b6ad48929762
>> Content-Type: text/plain; charset=utf-8
>>
>>
>>
>>
>>
>> root@ns-proxy01:/etc/swift# keystone --debug user-list
>> REQ: curl -i http://10.42.44.101:35357/v2.0/users -X GET -H "User-Agent:
>> python-keystoneclient" -H "X-Auth-Token:
>> 6IHBKKwfVnHZf5ifGiQaRQL5u3hdYtPe"
>> RESP: [200] {'date': 'Tue, 16 Apr 2013 09:39:37 GMT', 'content-type':
>> 'application/json', 'content-length': '860', 'vary': 'X-Auth-Token'}
>> RESP BODY: {"users": [{"name": "glance", "id":
>> "03c928bae5ad4a9f90be425c1ff554dd", "tenantId":
>> "054ca85bca2e44c29cf4730e1450517f", "enabled": true, "email": null},
>> {"name": "nova", "id": "140239db8d0244fca7545b76b60ffacd", "tenantId":
>> "054ca85bca2e44c29cf4730e1450517f", "enabled": true, "email": null},
>> {"name": "swift", "id": "3bad84eee3b4432b915b469e1cfef628", "tenantId":
>> "054ca85bca2e44c29cf4730e1450517f", "enabled": true, "email": null},
>> {"name": "ec2", "id": "5f3a39c203b249d4ba003bba7fdca300", "tenantId":
>> "054ca85bca2e44c29cf4730e1450517f", "enabled": true, "email": null},
>> {"name": "admin", "id": "9d7d6509ffee4a82ad52fe5555e8733c", "tenantId":
>> "c2dc53651a73430db9e0551fca4200de", "enabled": true, "email": null},
>> {"name": "ceilometer", "id": "cde44fe9c6d446da99ea370b88ec7d63",
>> "tenantId": "054ca85bca2e44c29cf4730e1450517f", "enabled": true,
>> "email": null}]}
>>
>> +----------------------------------+------------+---------+-------+
>> | id | name | enabled | email |
>> +----------------------------------+------------+---------+-------+
>> | 9d7d6509ffee4a82ad52fe5555e8733c | admin | True | |
>> | cde44fe9c6d446da99ea370b88ec7d63 | ceilometer | True | |
>> | 5f3a39c203b249d4ba003bba7fdca300 | ec2 | True | |
>> | 03c928bae5ad4a9f90be425c1ff554dd | glance | True | |
>> | 140239db8d0244fca7545b76b60ffacd | nova | True | |
>> | 3bad84eee3b4432b915b469e1cfef628 | swift | True | |
>> +----------------------------------+------------+---------+-------+
>>
>>
>>
>>
>>
>>
>>
>> root@ns-proxy01:/etc/swift# curl -k -v -H 'X-Storage-User: admin' -H 'X-Storage-Pass: XXX' -X 'POST' http://10.42.44.101:35357/v2.0/auth
>> * About to connect() to 10.42.44.101 port 35357 (#0)
>> * Trying 10.42.44.101... connected
>>> POST /v2.0/auth HTTP/1.1
>>> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
>>> Host: 10.42.44.101:35357
>>> Accept: */*
>>> X-Storage-User: admin
>>> X-Storage-Pass: XXX
>>>
>> < HTTP/1.1 404 Not Found
>> < Vary: X-Auth-Token
>> < Content-Type: application/json
>> < Content-Length: 93
>> < Date: Tue, 16 Apr 2013 09:41:36 GMT
>> <
>> * Connection #0 to host 10.42.44.101 left intact
>> * Closing connection #0
>> {"error": {"message": "The resource could not be found.", "code": 404,
>> "title": "Not Found"}}
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> #############################################################
>> swift-proxy.conf
>>
>> [DEFAULT]
>> bind_port = 8888
>> workers = 8
>> user = swift
>> log_name = swift-proxy
>> log_facility = LOG_LOCAL0
>> log_level = DEBUG
>>
>> [pipeline:main]
>> pipeline = ceilometer catch_errors healthcheck cache tempurl swift3 authtoken keystoneauth proxy-logging proxy-server
>>
>> [app:proxy-server]
>> use = egg:swift#proxy
>> allow_account_management = true
>> account_autocreate = true
>>
>> [filter:swift3]
>> use = egg:swift3#swift3
>>
>> [filter:authtoken]
>> paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
>> delay_auth_decision = 1
>> service_port = 5000
>> service_host = 127.0.0.1
>> auth_protocol = http
>> auth_host = 127.0.0.1
>> auth_port = 35357
>> auth_uri = http://127.0.0.1:5000/
>> #auth_token = xxxxxxxxxxxxxxxxxxxx
>> #admin_tenant_name = service
>> #admin_user = swift
>> #admin_password = xxxxxxxxxxxxxxxxxxxx
>> admin_token = xxxxxxxxxxxxxxxxxxxx
>> cache = swift.cache
>> signing_dir = /tmp/keystone-signing-swift
>>
>> [filter:keystoneauth]
>> use = egg:swift#keystoneauth
>> operator_roles = admin, swiftoperator
>> #default_swift_cluster = netstorage#https://netstorage-ham1-de.internet4you.com:444/v1#http://127.0.0.1:8888/v1
>>
>> allow_account_management = true
>> allow_overrides = true
>>
>> [filter:healthcheck]
>> use = egg:swift#healthcheck
>>
>> [filter:ceilometer]
>> use = egg:ceilometer#swift
>>
>> [filter:cache]
>> use = egg:swift#memcache
>> memcache_servers = 10.42.44.101:11211,10.42.44.102:11211
>>
>> [filter:tempurl]
>> use = egg:swift#tempurl
>>
>> [filter:catch_errors]
>> use = egg:swift#catch_errors
>>
>> [filter:proxy-logging]
>> use = egg:swift#proxy_logging
>> #############################################################
>>
>>
>>
>>
>>
>> #############################################################
>> keystone.conf
>> [DEFAULT]
>> admin_token = 6IHBKKwfVnHZf5ifGiQaRQL5u3hdYtPe
>> bind_host = 0.0.0.0
>> public_port = 5000
>> admin_port = 35357
>> compute_port = 8774
>> debug = True
>> verbose = True
>> log_file = keystone.log
>> log_dir = /var/log/keystone
>> use_syslog = False
>>
>> [sql]
>> connection = mysql://keystone:xxxxxxxxxxxxxxxx@123.123.123.123/keystone
>> idle_timeout = 200
>> min_pool_size = 5
>> max_pool_size = 10
>> pool_timeout = 200
>>
>> [identity]
>> driver = keystone.identity.backends.sql.Identity
>>
>> [trust]
>> [catalog]
>> driver = keystone.catalog.backends.sql.Catalog
>> [token]
>> driver = keystone.token.backends.sql.Token
>> expiration = 86400
>> [policy]
>> driver = keystone.policy.backends.sql.Policy
>> [ec2]
>> driver = keystone.contrib.ec2.backends.kvs.Ec2
>> [ssl]
>> [signing]
>> token_format = UUID
>> [ldap]
>> [auth]
>> methods = password,token
>> password = keystone.auth.plugins.password.Password
>> token = keystone.auth.plugins.token.Token
>> [filter:debug]
>> paste.filter_factory = keystone.common.wsgi:Debug.factory
>> [filter:token_auth]
>> paste.filter_factory = keystone.middleware:TokenAuthMiddleware.factory
>> [filter:admin_token_auth]
>> paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory
>> [filter:xml_body]
>> paste.filter_factory = keystone.middleware:XmlBodyMiddleware.factory
>> [filter:json_body]
>> paste.filter_factory = keystone.middleware:JsonBodyMiddleware.factory
>> [filter:user_crud_extension]
>> paste.filter_factory = keystone.contrib.user_crud:CrudExtension.factory
>> [filter:crud_extension]
>> paste.filter_factory = keystone.contrib.admin_crud:CrudExtension.factory
>> [filter:ec2_extension]
>> paste.filter_factory = keystone.contrib.ec2:Ec2Extension.factory
>> [filter:s3_extension]
>> paste.filter_factory = keystone.contrib.s3:S3Extension.factory
>> [filter:url_normalize]
>> paste.filter_factory = keystone.middleware:NormalizingFilter.factory
>> [filter:sizelimit]
>> paste.filter_factory = keystone.middleware:RequestBodySizeLimiter.factory
>> [filter:stats_monitoring]
>> paste.filter_factory = keystone.contrib.stats:StatsMiddleware.factory
>> [filter:stats_reporting]
>> paste.filter_factory = keystone.contrib.stats:StatsExtension.factory
>> [filter:access_log]
>> paste.filter_factory = keystone.contrib.access:AccessLogMiddleware.factory
>> [app:public_service]
>> paste.app_factory = keystone.service:public_app_factory
>> [app:service_v3]
>> paste.app_factory = keystone.service:v3_app_factory
>> [app:admin_service]
>> paste.app_factory = keystone.service:admin_app_factory
>> [pipeline:public_api]
>> pipeline = access_log sizelimit stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug ec2_extension user_crud_extension public_service
>> [pipeline:admin_api]
>> pipeline = access_log sizelimit stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug stats_reporting ec2_extension s3_extension crud_extension admin_service
>> [pipeline:api_v3]
>> pipeline = access_log sizelimit stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug stats_reporting ec2_extension s3_extension service_v3
>> [app:public_version_service]
>> paste.app_factory = keystone.service:public_version_app_factory
>> [app:admin_version_service]
>> paste.app_factory = keystone.service:admin_version_app_factory
>> [pipeline:public_version_api]
>> pipeline = access_log sizelimit stats_monitoring url_normalize xml_body public_version_service
>> [pipeline:admin_version_api]
>> pipeline = access_log sizelimit stats_monitoring url_normalize xml_body admin_version_service
>> [composite:main]
>> use = egg:Paste#urlmap
>> /v2.0 = public_api
>> / = public_version_api
>> [composite:admin]
>> use = egg:Paste#urlmap
>> /v2.0 = admin_api
>> / = admin_version_api
>> #############################################################
>
>
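Added example, not part of the thread and not Swift's own code: a Python check that reads a proxy-server.conf pipeline and reports which component answers an unauthenticated GET /auth/. It assumes (middleware defaults, not stated in the thread) that swauth and tempauth serve their auth_prefix, which defaults to /auth/; the swauth pipeline is a constructed comparison and the function names are hypothetical.

```python
import configparser

# Assumption (middleware defaults, not stated in the thread): swauth and
# tempauth answer requests under their auth_prefix, which defaults to /auth/.
PREFIX_AUTH_EGGS = ("egg:swauth#swauth", "egg:swift#tempauth")

# Constructed sample: pipeline and authtoken setting as quoted in the thread.
KEYSTONE_CONF = """
[pipeline:main]
pipeline = ceilometer catch_errors healthcheck cache tempurl swift3 authtoken keystoneauth proxy-logging proxy-server
[filter:authtoken]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
delay_auth_decision = 1
[filter:keystoneauth]
use = egg:swift#keystoneauth
"""

# Constructed sample: a hypothetical swauth-era pipeline for comparison.
SWAUTH_CONF = """
[pipeline:main]
pipeline = catch_errors healthcheck cache swauth proxy-server
[filter:swauth]
use = egg:swauth#swauth
"""

def load(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def auth_prefix_owner(text, path="/auth/"):
    """Name of the pipeline filter that serves `path` itself, or None."""
    cp = load(text)
    for name in cp["pipeline:main"]["pipeline"].split():
        section = "filter:" + name
        if cp.has_section(section) and cp[section].get("use") in PREFIX_AUTH_EGGS:
            if path.startswith(cp[section].get("auth_prefix", "/auth/")):
                return name
    return None

def anonymous_get(text, path="/auth/"):
    """Component that answers an unauthenticated GET for `path`."""
    cp = load(text)
    owner = auth_prefix_owner(text, path)
    if owner or not cp.has_section("filter:authtoken"):
        return owner or "proxy-server"
    delay = cp["filter:authtoken"].get("delay_auth_decision", "0").lower()
    # Delayed: request falls through to the proxy app; otherwise authtoken rejects it.
    return "proxy-server" if delay in ("1", "true", "t", "on", "yes", "y") else "authtoken"
```

For the keystone pipeline no filter owns /auth/, which is consistent with the 412 (delay_auth_decision = 1) and 401 (delay_auth_decision = 0) results logged in the thread.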